From 33a813613a9f48acba0e88f4c51a6a25259bbebc Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 3 Dec 2012 09:50:24 +1100 Subject: - djm@cvs.openbsd.org 2012/12/02 20:42:15 [ssh-add.1 ssh-add.c] make deleting explicit keys "ssh-add -d" symmetric with adding keys - try to delete the corresponding certificate too and respect the -k option to allow deleting of the key only; feedback and ok markus@ --- ssh-add.c | 38 +++++++++++++++++++++++++++++++------- 1 file changed, 31 insertions(+), 7 deletions(-) (limited to 'ssh-add.c') diff --git a/ssh-add.c b/ssh-add.c index 738644d27..c8936e5ae 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.103 2011/10/18 23:37:42 djm Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.104 2012/12/02 20:42:15 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -96,10 +96,10 @@ clear_pass(void) } static int -delete_file(AuthenticationConnection *ac, const char *filename) +delete_file(AuthenticationConnection *ac, const char *filename, int key_only) { - Key *public; - char *comment = NULL; + Key *public = NULL, *cert = NULL; + char *certpath = NULL, *comment = NULL; int ret = -1; public = key_load_public(filename, &comment); @@ -113,8 +113,32 @@ delete_file(AuthenticationConnection *ac, const char *filename) } else fprintf(stderr, "Could not remove identity: %s\n", filename); - key_free(public); - xfree(comment); + if (key_only) + goto out; + + /* Now try to delete the corresponding certificate too */ + free(comment); + xasprintf(&certpath, "%s-cert.pub", filename); + if ((cert = key_load_public(certpath, &comment)) == NULL) + goto out; + if (!key_equal_public(cert, public)) + fatal("Certificate %s does not match private key %s", + certpath, filename); + + if (ssh_remove_identity(ac, cert)) { + fprintf(stderr, "Identity removed: %s (%s)\n", certpath, + comment); + ret = 0; + } else + fprintf(stderr, "Could not remove identity: %s\n", certpath); + + out: + if (cert != NULL) + key_free(cert); + if (public != NULL) + key_free(public); + free(certpath); + free(comment); return ret; } @@ -354,7 +378,7 @@ static int do_file(AuthenticationConnection *ac, int deleting, int key_only, char *file) { if (deleting) { - if (delete_file(ac, file) == -1) + if (delete_file(ac, file, key_only) == -1) return -1; } else { if (add_file(ac, file, key_only) == -1) -- cgit v1.2.3 From 8a96522482acd40af2e8a08696780a54c00b4feb Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 7 Dec 2012 13:07:02 +1100 Subject: - markus@cvs.openbsd.org 2012/12/05 15:42:52 [ssh-add.c] prevent double-free of comment; ok djm@ --- ChangeLog | 3 +++ ssh-add.c | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'ssh-add.c') diff --git a/ChangeLog b/ChangeLog index 19dc33403..7a3f272e1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,9 @@ - jmc@cvs.openbsd.org 2012/12/03 08:33:03 [ssh-add.1 sshd_config.5] tweak previous; + - markus@cvs.openbsd.org 2012/12/05 15:42:52 + [ssh-add.c] + prevent double-free of comment; ok djm@ 20121205 - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@. diff --git a/ssh-add.c b/ssh-add.c index c8936e5ae..008084704 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.104 2012/12/02 20:42:15 djm Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.105 2012/12/05 15:42:52 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -118,6 +118,7 @@ delete_file(AuthenticationConnection *ac, const char *filename, int key_only) /* Now try to delete the corresponding certificate too */ free(comment); + comment = NULL; xasprintf(&certpath, "%s-cert.pub", filename); if ((cert = key_load_public(certpath, &comment)) == NULL) goto out; -- cgit v1.2.3